
# Wireshark - Network Protocol Analyzer

Wireshark is the world's foremost and widely-used network protocol analyzer. It lets you see what's happening on your network at a microscopic level and is the de facto standard across many commercial and non-profit enterprises, government agencies, and educational institutions.

## 🎯 Purpose

- **Network Troubleshooting:** Diagnose network issues and performance problems
- **Security Analysis:** Detect malicious network activity and intrusions
- **Protocol Development:** Debug and develop network protocols
- **Network Learning:** Understand how network protocols work

## 🚀 Basic Usage

### Capture Traffic

```bash
# Start Wireshark GUI
wireshark

# Command-line capture with tshark
tshark -i eth0 -w capture.pcap

# Capture specific number of packets
tshark -i eth0 -c 1000 -w capture.pcap

# Real-time display
tshark -i eth0
```

### Display Filters

```
# HTTP traffic only
http

# Specific IP address
ip.addr == 192.168.1.100

# TCP traffic on port 80
tcp.port == 80

# DNS queries
dns
```

## 🔧 Common Display Filters

### Protocol Filters

```
# Web traffic (HTTPS is dissected as TLS; there is no "https" display filter)
http or tls

# Email protocols
smtp or pop or imap

# File transfer (SFTP runs inside SSH, so it is dissected as ssh)
ftp or tftp or ssh

# Network management
snmp or icmp

# Database traffic (the PostgreSQL dissector is named pgsql)
mysql or pgsql
```

### IP Address Filters

```
# Specific source IP
ip.src == 192.168.1.100

# Specific destination IP
ip.dst == 10.0.0.1

# IP range
ip.addr >= 192.168.1.0 and ip.addr <= 192.168.1.255

# Exclude specific IP
not ip.addr == 192.168.1.1
```

### Port and Protocol Filters

```
# Specific port
tcp.port == 443

# Port range
tcp.port >= 1000 and tcp.port <= 2000

# UDP traffic
udp

# TCP flags
tcp.flags.syn == 1
tcp.flags.reset == 1
```

## 🎯 Security Analysis

### Malware Detection

```
# Suspicious DNS queries: queries that never received a response
dns.flags.response == 0 and not dns.response_in

# Large TCP segments (payload over 1000 bytes), a rough indicator of bulk transfers
tcp.len > 1000

# Anything outside the expected protocols
not (http or tls or dns or icmp)

# HTTP packets containing the literal string "base64"
http contains "base64"
```

### Network Reconnaissance

```
# Port scans: SYN-only segments (connection attempts, no handshake continuation)
tcp.flags.syn == 1 and tcp.flags.ack == 0

# ICMP sweeps: echo requests
icmp.type == 8

# ARP scans (a burst of requests from one host; arp.opcode == 1 narrows to requests)
arp

# DHCP discover packets (DHCP message type 1)
dhcp.option.dhcp == 1
```
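The port-scan filter above selects SYN-only segments one packet at a time; what a defender actually wants to know is which source sent them and how many distinct ports it touched. The following is an added example, not code from the original page or from the Wireshark project: a stdlib-only Python reader for the classic libpcap file format that applies the same condition as `tcp.flags.syn == 1 and tcp.flags.ack == 0` and then aggregates distinct destination ports per source/destination pair. The sample capture is constructed in memory so the script runs offline; the addresses, ports and the `min_ports` threshold are assumptions.

```python
"""Aggregate SYN-only segments per source from a pcap (Python stdlib only)."""
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4   # classic libpcap magic, microsecond timestamps
ETH_P_IP = 0x0800
TCP_FLAG_SYN = 0x02
TCP_FLAG_ACK = 0x10


def _ip(addr):
    return bytes(int(o) for o in addr.split("."))


def build_tcp_frame(src, dst, sport, dport, flags):
    """Ethernet + IPv4 + TCP header, no payload (checksums left zero; fine for a parser demo)."""
    eth = b"\x00" * 12 + struct.pack("!H", ETH_P_IP)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, _ip(src), _ip(dst))
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in a libpcap file: 24-byte global header, 16-byte record headers."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out


def iter_packets(data):
    """Yield raw frames from pcap bytes, honouring the byte order the magic indicates."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = "<" if magic == PCAP_MAGIC else ">"
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Return (src, dst, dport, flags) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None
    if frame[23] != 6:                      # IPv4 protocol field: 6 = TCP
        return None
    ihl = (frame[14] & 0x0F) * 4            # IPv4 header length in bytes
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    tcp = frame[14 + ihl:]
    if len(tcp) < 14:
        return None
    dport = struct.unpack("!H", tcp[2:4])[0]
    return src, dst, dport, tcp[13]          # byte 13 of the TCP header holds the flags


def syn_scan_sources(pcap_bytes, min_ports=10):
    """Pairs (src, dst) whose SYN-only segments (SYN set, ACK clear) hit >= min_ports distinct ports.

    Same condition as the display filter `tcp.flags.syn == 1 and tcp.flags.ack == 0`,
    followed by grouping on ip.src/ip.dst and counting distinct tcp.dstport values.
    """
    ports = defaultdict(set)
    for frame in iter_packets(pcap_bytes):
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        src, dst, dport, flags = parsed
        if flags & TCP_FLAG_SYN and not flags & TCP_FLAG_ACK:
            ports[(src, dst)].add(dport)
    return {pair: len(p) for pair, p in ports.items() if len(p) >= min_ports}


# Constructed sample traffic (assumption): one host probing 20 ports, one normal client handshake.
SAMPLE_FRAMES = [build_tcp_frame("10.0.0.5", "10.0.0.20", 40000 + p, p, TCP_FLAG_SYN) for p in range(1, 21)]
SAMPLE_FRAMES += [
    build_tcp_frame("10.0.0.7", "10.0.0.20", 50001, 443, TCP_FLAG_SYN),
    build_tcp_frame("10.0.0.20", "10.0.0.7", 443, 50001, TCP_FLAG_SYN | TCP_FLAG_ACK),
]
SAMPLE_PCAP = build_pcap(SAMPLE_FRAMES)

if __name__ == "__main__":
    for (src, dst), n in syn_scan_sources(SAMPLE_PCAP).items():
        print(f"{src} -> {dst}: SYN-only segments to {n} distinct ports")
```

To run it against a real file, replace `SAMPLE_PCAP` with the bytes of a capture written by `tshark -w` or `dumpcap -w` in pcap (not pcapng) format; the SYN/ACK from the server side is deliberately excluded by the ACK check, which is why a normal handshake does not count.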

### Authentication Analysis

```
# Failed login attempts (HTTP 401 Unauthorized responses)
http.response.code == 401

# NTLM authentication
ntlmssp

# Kerberos traffic
kerberos

# LDAP authentication
ldap
```

## Installation

### Debian/Ubuntu

```bash
sudo apt update
sudo apt install wireshark

# Add user to wireshark group for non-root capture
# (log out and back in afterwards so the new group membership takes effect)
sudo usermod -a -G wireshark $USER
```

### Windows

Download from wireshark.org

### macOS

```bash
# Using Homebrew
brew install wireshark

# Or download from official site
```

## ⚙️ Command Line Tools

### tshark (Terminal Wireshark)

```bash
# Basic capture
tshark -i eth0 -w capture.pcap

# Live analysis with a capture (BPF) filter
tshark -i eth0 -f "tcp port 80"

# Read from file
tshark -r capture.pcap

# Extract specific fields (tab-separated, one line per packet)
tshark -r capture.pcap -T fields -e ip.src -e ip.dst -e tcp.port
```
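The `-T fields` output above is the natural bridge from Wireshark into scripting, and the "queries that never received a response" filter in the Malware Detection section is a good thing to compute that way over a large capture. The following is an added example, not code from the original page or from the Wireshark project: it parses tab-separated `-T fields` lines and pairs DNS queries with responses by transaction id, query name and reversed addresses, which is the relationship `dns.response_in` expresses inside Wireshark. The extraction command in the comment is an assumed invocation, the sample lines are constructed, and because tshark releases differ in whether a boolean field prints as `0`/`1` or `False`/`True`, both forms are accepted.

```python
"""Find unanswered DNS queries in tshark -T fields output (Python stdlib only)."""
from collections import Counter

# Assumed extraction command (example, not from the page); field order must match FIELDS:
#   tshark -r capture.pcap -Y dns -T fields \
#       -e ip.src -e ip.dst -e dns.id -e dns.flags.response -e dns.qry.name
FIELDS = ("ip.src", "ip.dst", "dns.id", "dns.flags.response", "dns.qry.name")


def parse_fields_output(text, fields=FIELDS):
    """Turn tab-separated tshark -T fields lines into dicts keyed by field name."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        values = line.split("\t")
        values += [""] * (len(fields) - len(values))   # pad lines where trailing fields were empty
        rows.append(dict(zip(fields, values)))
    return rows


def _is_true(value):
    # tshark prints booleans as 0/1 in older releases and False/True in newer ones
    return value.strip().lower() in ("1", "true")


def unanswered_queries(rows):
    """Queries with no response sharing the same transaction id and name in the reverse direction.

    This is the out-of-Wireshark equivalent of the display filter
    `dns.flags.response == 0 and not dns.response_in`.
    """
    responses = set()
    for r in rows:
        if _is_true(r["dns.flags.response"]):
            # store the response keyed from the client's point of view (client, server, id, name)
            responses.add((r["ip.dst"], r["ip.src"], r["dns.id"], r["dns.qry.name"]))
    missing = []
    for r in rows:
        if _is_true(r["dns.flags.response"]):
            continue
        key = (r["ip.src"], r["ip.dst"], r["dns.id"], r["dns.qry.name"])
        if key not in responses:
            missing.append(r)
    return missing


def top_unanswered_names(rows, n=5):
    """Count unanswered queries per name; repeated failures for one odd name stand out for triage."""
    return Counter(r["dns.qry.name"] for r in unanswered_queries(rows)).most_common(n)


# Constructed sample output (assumption, not a real capture): two answered lookups, three unanswered.
SAMPLE_OUTPUT = "\n".join([
    "10.0.0.5\t10.0.0.53\t0x1a2b\t0\twww.example.com",
    "10.0.0.53\t10.0.0.5\t0x1a2b\t1\twww.example.com",
    "10.0.0.5\t10.0.0.53\t0x1a2c\tFalse\tmail.example.com",
    "10.0.0.53\t10.0.0.5\t0x1a2c\tTrue\tmail.example.com",
    "10.0.0.9\t10.0.0.53\t0x0001\t0\tupdates.unresolved.invalid",
    "10.0.0.9\t10.0.0.53\t0x0002\t0\tupdates.unresolved.invalid",
    "10.0.0.9\t10.0.0.53\t0x0003\t0\tx.unresolved.invalid",
])

if __name__ == "__main__":
    rows = parse_fields_output(SAMPLE_OUTPUT)
    for name, count in top_unanswered_names(rows):
        print(f"{count:4d}  {name}")
```

In practice you would pipe the real tshark output into `parse_fields_output` (for example by reading `sys.stdin`) rather than the embedded sample; keeping the field list in one tuple makes it easy to add `-e frame.time_epoch` later for time-based grouping without touching the pairing logic.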

### dumpcap (Capture Engine)

```bash
# High-performance capture
dumpcap -i eth0 -w capture.pcap

# Ring buffer: start a new file every 100000 kB and keep only the 5 most recent files
dumpcap -i eth0 -b filesize:100000 -b files:5 -w capture
```

### editcap (File Manipulation)

```bash
# Split a large file into pieces of 1000 packets each
editcap -c 1000 large.pcap small.pcap

# Extract time range
editcap -A "2023-01-01 10:00:00" -B "2023-01-01 11:00:00" capture.pcap filtered.pcap

# Remove duplicates
editcap -d capture.pcap clean.pcap
```

## 💡 Pro Tips

### Follow Streams

```
# Follow TCP stream
Right-click packet → Follow → TCP Stream

# Follow HTTP stream
Right-click HTTP packet → Follow → HTTP Stream

# Follow SSL stream (labelled "TLS Stream" in Wireshark 3.0 and later)
Right-click SSL packet → Follow → SSL Stream
```

### Export Objects

```
# Export HTTP objects
File → Export Objects → HTTP

# Export TFTP objects
File → Export Objects → TFTP

# Export SMB/CIFS objects
File → Export Objects → SMB
```

### Statistics and Analysis

```
# Protocol hierarchy
Statistics → Protocol Hierarchy

# Conversations
Statistics → Conversations

# Endpoints
Statistics → Endpoints

# IO graphs
Statistics → I/O Graphs
```

### Custom Columns

Add useful custom columns:

- `tcp.stream` for TCP stream number
- `http.request.method` for HTTP methods
- `dns.qry.name` for DNS queries
- `ssl.handshake.type` for SSL handshake types (`tls.handshake.type` in Wireshark 3.0 and later)

## 🔧 Advanced Features

### Lua Scripting

```lua
-- Custom protocol dissector, registered on an example UDP port
local myproto = Proto("myprotocol", "My Protocol")

function myproto.dissector(buffer, pinfo, tree)
    if buffer:len() < 2 then return end        -- too short to carry the length field
    pinfo.cols.protocol = myproto.name
    local subtree = tree:add(myproto, buffer(), "My Protocol Data")
    subtree:add(buffer(0, 2), "Length: " .. buffer(0, 2):uint())
end

-- Hand packets on UDP port 9999 (example value) to this dissector
DissectorTable.get("udp.port"):add(9999, myproto)
```

### Capture Filters (Berkeley Packet Filter)

```
# Capture port-80 traffic to or from one host
host www.example.com and port 80

# Capture packets with specific flags (here: SYN set)
tcp[tcpflags] & tcp-syn != 0

# Capture by MAC address
ether host 00:11:22:33:44:55
```

### Remote Capture

```bash
# SSH tunnel for remote capture: tcpdump on the remote host streams raw pcap to stdout
ssh -L 2222:target:22 user@jumphost
wireshark -k -i <(ssh -p 2222 user@localhost 'tcpdump -U -s0 -w - -i eth0')
```

## 🚨 Important Notes

- **Legal Compliance:** Only capture traffic you're authorized to monitor
- **Privacy Considerations:** Network captures may contain sensitive information
- **Performance Impact:** Capturing can impact network performance
- **Storage Requirements:** Captures can grow very large quickly
- **Encryption:** Encrypted traffic appears as ciphertext

## 📊 Performance Monitoring

Use Wireshark to monitor:

- Bandwidth utilization
- Response times
- Packet loss
- Retransmissions
- Connection patterns

Part of the HackerHub.me tool documentation series